pentestfail
commented
6 years ago Hi Fairux,
There are a couple of scenarios I've observed this behavior which usually are caused by the authentication requirements of the Salesforce organization or permissions of the account being used. The account Splunk uses must be able to access the Salesforce UI (not configured for "API only access") as a normal user would as it leverages a UI only function to export the CSV report and overcome Salesforce's reporting API row limitation complexities.
Before going into more detailed steps, first try removing the "security token" from the account configuration in the TA and test to see if any errors are generated which are more descriptive or if the report indexes correctly. If not, investigate the items below and let me know what you find.
Things to troubleshoot:
- Confirm your Salesforce authentication is not being redirected to non-Salesforce authentication system (Active Directory, SAML, etc.) as this is not supported
- Confirm the account is not "API only"
- Confirm Splunk host running the input is egressing any Salesforce organizational/account IP whitelists (if configured)
- Confirm the account being used is able to log into the Salesforce UI directly and access the configured report else troubleshoot account and/or report permissions
For some additional info on the Salesforce side see this article: https://developer.salesforce.com/docs/atlas.en-us.api.meta/api/sforce_api_concepts_security.htm
Fairux
Akash-Banerjee
Hi dev team,
I'm trying to index some reports, I've successfully configured my account / password / token.
However, when I query the selected index, I get 7 events all like this:
I do not see any error in my DEBUG internal logs, I can see the query is going thru, and I see the seven indexed events.
I was wondering if according to the app description it will download a local CSV file and then it will monitor, this part is not clear, could you please give me insights on this?.
All help will be appreciated.
F.